
Can't get to windowsupdate.microsoft.com from inside DMZ

mikez
Level 1

Greetings,

From my inside interface, users have no problem getting Microsoft updates. Not so from within my DMZ. Even though I have the PIX configured to allow the PC in the DMZ to start an outbound connection (i.e. browser can get to web servers on the Internet just fine), the "windowsupdate" page does not work. On a Sniffer, I can see what I assume is ActiveX trying to start return connections on high port numbers, in order to do the "scan for updates". Nevertheless, even though I tried to make it wide open for inbound connections to this particular PC, I still could not get it to work. Can anybody please tell me what I'm missing here?

THANKS,

-Mike Z-

Texas

2 Replies

bosoro
Cisco Employee

Mike,

Are you performing ActiveX filtering on the PIX for any interface? Have you tried to put this PC that does not work in the DMZ on the "Inside" network with the same result, or is it able to update accordingly?

What other inbound or outbound filters do you have set up for your Outside Interface, DMZ, and Inside interface?

There is probably just something simple that you haven't caught yet.

Good Luck

-Bryan

Hey Bryan,

THANKS for the reply. Yeah, I figure it's "something simple" too, but I'm running out of ideas at this point.

No, I'm not doing any Java or ActiveX filtering. Other than that, about the filtering I'm doing is "content filtering" using Websense.

The PC in question has a private address. On outbound connections, I'm NATing it to the same IP as the public address defined for inbound connections via a static statement.

I've not tried moving the PC out of the DMZ, because I don't want to have to take it down and change its IP address.

Regards,

-Mike Z-